b'      Department of Homeland Security\n\n\n\n\n\n           Major Management Challenges Facing the \n\n               Department of Homeland Security \n\n\n\n\n\nOIG-13-09 (Revised)                         December 2012\n\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homel and Security\n\n\n\n                                   DEC 2 1 2012\n\nMEMORANDUM FOR :              The Honorable Janet Napolitano\n                              Secretary\n\nFROM:                        Charles K. Edwards\n                             Acting Inspector Genera   c01~~      ~.\n                                                                                        .\n\n\nSUBJECT:                      Major Management Challenges\n                              Facing the Department of Homeland Security\n\nAttached for your information is our revised annual report, Major Management\nChallenges Facing the Deportment of Homeland Security, for inclusion in the\nDepartment of Homeland Security 2012 Annual Finan(ial Report. The original report\ncontained three incorrect footnotes; however we have corrected the three footnotes in\nt he report. Please see the attdched erratd page for details.\n\nShould you have any questions, please call me, or your staff may contact\nAnne L. Richards, Assistant Inspector General for Audits, at (202) 254\xc2\xb74100.\n\n\nAttachment\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n                                                \n\n\n\n        Major Management Challenges Facing the \n\n                Department of Homeland Security \n\n\nThe attached report presents our fiscal year 2012 assessment of the major management\nchallenges facing the Department. As required by the ReportsfConsolidationfActfoff2000\n(Public Law 106-531), we update our assessment of management challenges annually.\nAs stipulated, the report summarizes what the Inspector General considers to be the\nmost serious management and performance challenges facing the agency and briefly\nassesses the agency\xe2\x80\x99s progress in addressing those challenges.\nAs in previous years, the Department\xe2\x80\x99s major challenges are reported in broad areas.\nFor better understanding of how these areas relate to the overall operations of the\norganization, they have been categorized into two main themes: Mission Areas and\nAccountability Issues.\n\n\nMission Areas\n   \xe2\x80\xa2   Intelligence\n   \xe2\x80\xa2   Transportation Security\n   \xe2\x80\xa2   Border Security\n   \xe2\x80\xa2   Infrastructure Protection\n   \xe2\x80\xa2   Disaster Preparedness and Response\n\nAccountability Issues\n   \xe2\x80\xa2   Acquisition Management\n   \xe2\x80\xa2   Financial Management\n   \xe2\x80\xa2   IT Management\n   \xe2\x80\xa2   Grants Management\n   \xe2\x80\xa2   Employee Accountability and Integrity\n   \xe2\x80\xa2   Cyber Security\n\n\n\n\nwww.oig.dhs.gov                                1                                       OIG-13-09\n\x0c                              OFFICE OF INSPECTOR GENERAL\n                                   Department of Homeland Security\n\n\n\n                           Mission Areas\n\nSecuring the Nation against the entire range of threats that we face in an evolving\nlandscape is a difficult task. The vision and purpose of the Department of Homeland\nSecurity (DHS) is to ensure a homeland that is safe, secure, and resilient against\nterrorism and other hazards where American interests, aspirations, and way of life can\nthrive.1 At its establishment in 2003, the Department faced the challenge of building a\ncohesive, effective, and efficient Department from 22 disparate agencies, while\nsimultaneously performing the mission for which it was created. As a whole, DHS has\nmade progress in coalescing into a more cohesive organization to address its key\nmission areas to secure our Nation\xe2\x80\x99s borders, increase our readiness, build capacity in\nthe face of a terrorist threat or a natural disaster, and enhance security in our\ntransportation systems and trade operations.\n\n\nIntelligence\nOverview\nIntelligence is vital to DHS\xe2\x80\x99 framework for securing the Nation. The development,\nblending, analysis, and sharing of intelligence with appropriate Federal, State, local,\ntribal, and territorial officials, as well as with private sector partners, must be timely and\nwell coordinated to effectively predict terrorist acts.\n\nDepartment intelligence programs, projects, activities, and personnel, including the\nintelligence elements of seven key DHS components, as well as the Office of Intelligence\nand Analysis (I&A), make up the DHS Intelligence Enterprise. I&A is charged with\nensuring that intelligence from the DHS Intelligence Enterprise is analyzed, fused, and\ncoordinated to support the full range of DHS missions and functions, as well as the\nDepartment\'s external partners. The components, most of which predate the creation\nof the Department, have intelligence elements that provide support tailored to their\nspecialized functions and contribute information and expertise in support of the\nDepartment\'s broader mission set.2\n\n\n\n1\n  http://www.dhs.gov/our-mission\n2 Statement for the Record of Caryn A. Wagner, Under Secretary and Chief Intelligence Officer, Office of\nIntelligence and Analysis, before the Subcommittee on Counterterrorism and Intelligence House\nCommittee on Homeland Security, "The DHS Intelligence Enterprise - Past, Present, and Future," June 1,\n2011.\n\n\n\nwww.oig.dhs.gov                                         2                                             OIG-13-09\n\x0c                             OFFICE OF INSPECTOR GENERAL\n                                  Department of Homeland Security\n\n\nChallenges\nImproving and enhancing support to fusion centers remains a challenge for the\nDepartment. To promote greater information sharing and collaboration among Federal,\nState, and local intelligence and law enforcement entities, State and local authorities\nestablished fusion centers throughout the country. A fusion center is a collaboration of\ntwo or more agencies to receive, gather, analyze, and disseminate information\nintending to detect, prevent, investigate, and respond to criminal or terrorist activity.\nThe State and Local Program Office (SLPO), within the Office of Intelligence and Analysis,\nis responsible for coordinating and ensuring departmental support to the National\nNetwork of Fusion Centers.\n\nIn our fiscal year (FY) 2012 review, \xe2\x80\x9cDHS\xe2\x80\x99fEffortsftofCoordinatefandfEnhancefItsfSupportf\nandfInformationfSharingfwithfFusionfCenters,\xe2\x80\x9dfwe assessed: (1) whether the SLPO\nsatisfies the intent of DHS\xe2\x80\x99 recommitment to the State, Local, and Regional Fusion Center\nInitiative; (2) whether planned SLPO efforts will ensure coordinated support of DHS and\nits components to provide needed information and resources to fusion centers; and (3)\nif any functional or organizational challenges in DHS hinder its successful support of\nfusion centers.\n\nAccomplishments\nDHS indicated that it has taken significant steps to improve the integration and\ncoordination of intelligence products and processes across the Department. An\nenhanced analytic plan developed by I&A links data from disparate sources to help\nidentify unattributed cyber intrusions threatening Federal and private sector networks.\nWe determined that since July 2009, the SLPO has increased field support to fusion\ncenters, worked to improve fusion center capabilities, and engaged DHS components.\nEfforts to develop a department-wide fusion center support strategy are ongoing, but\nimprovements are needed to enhance the I&A\xe2\x80\x99s field deployments and DHS component\nsupport.3\n\n\n\n\n3\n DHS-OIG, DHS\xe2\x80\x99fEffortsftofCoordinatefandfEnhancefItsfSupportfandfInformationfSharingfwithfFusionf\nCentersf(OIG-12-10, November 2011).\n\n\n\nwww.oig.dhs.gov                                        3                                            OIG-13-09\n\x0c                                 OFFICE OF INSPECTOR GENERAL\n                                     Department of Homeland Security\n\n\nTransportation Security \n\nOverview\nThe Transportation Security Administration (TSA) is responsible for protecting the\ntransportation system and ensuring the freedom of movement for people and\ncommerce. The Nation\xe2\x80\x99s economy depends upon secure, yet efficient transportation\nsecurity measures. Airport security includes the use of various technologies to screen\npassengers and their baggage for weapons, explosives, and other prohibited items, as\nwell as to prevent unauthorized access to secured airport areas. As part of its\nresponsibility, TSA is required to assess and test airport security measures on an\nongoing basis to ensure compliance with policies and procedures and prevent security\nbreaches.\n\nChallenges\nIn spite of TSA\xe2\x80\x99s efforts, it continues to face challenges in passenger and baggage\nscreening, airport security, the Secure Flight Program, airport badging, passenger air\ncargo security, training, as well as in providing oversight for the security of all modes of\ntransportation including rail and mass transit.\n\nAviation\n\nIn regard to passenger and baggage screening, the AviationfandfTransportationfSecurityf\nAct requires TSA to prescribe requirements for screening or inspecting all passengers,\ngoods, and property before entry into secured areas of an airport. 4\n\nIn its review of airport security, DHS OIG conducted covert testing of airport access\ncontrols as well as passenger and baggage screening. 5 Although test results are\nclassified, access control and checkpoint screening vulnerabilities were identified at the\ndomestic airports tested. Although Transportation Security Officers (TSO) were\nultimately responsible for not fully screening checked baggage, our audit identified\nadditional improvements that TSA can make in the evaluation of new or changed\nprocedures, and improvements in supervision of TSOs that could have mitigated the\nsituation.\n\nIn FY 2012, a congressional request led to a review of TSA\xe2\x80\x99s policies and practices\ngoverning its use of full-body x-ray screening equipment (general-use backscatter units)\n\n4\n    Public Law 107-71, November 19, 2001.\n\n5\n    DHS-OIG, (U)fCovertfTestingfoffAccessfControlsftofSecuredfAirportfAreas (OIG-12-26, January 2012).\n\n\n\n\nwww.oig.dhs.gov                                            4                                              OIG-13-09\n\x0c                             OFFICE OF INSPECTOR GENERAL\n                                 Department of Homeland Security\n\n\nfor airport security. Congressman Edward J. Markey was concerned about the safety of\nthe doses of radiation emitted by the units. TSA began deploying general-use\nbackscatter units in March 2010, with 247 units operating in 39 commercial airports\naround the country at the time of publication of the FY 2012 backscatter unit report. In\nthe United States, an x-ray system is considered compliant with requirements for\ngeneral-purpose security screening of humans if it complies with standards of the\nAmerican National Standards Institute.\n\nIndependent radiation studies conducted by professional organizations concluded that\nradiation levels emitted from backscatter units were below the acceptable limits. TSA\nentered into interagency agreements for additional radiation safety surveys and\ndosimetry measurement of the dose of radiation emitted by a radiation-generating\ndevice monitoring studies to document radiation doses to agency personnel and\nindividuals being screened. All studies concluded that the level of radiation emitted was\nbelow acceptable limits.\n\nThe Secure Flight Program was implemented in October 2008 in an effort to bolster the\nTSA security directives established after the terrorist attacks of September 11, 2001.\nUnder this program, TSA receives specific passenger and non-traveler data from the\nairlines and matches it against the government\'s watch list. TSA then transmits a\nboarding pass, with results back to the aircraft operator, so a boarding pass can be\nissued.\n\nTSA relies on designated airport operator employees to process the badging\napplications. A July 2011 audit report showed that individuals who pose a threat may\nobtain airport badges and gain access to secured airport areas.6 We analyzed vetting\ndata from airport badging offices and identified badge holder records with omissions or\ninaccuracies in security threat assessment status, birthdates, and birthplaces. These\nproblems existed because TSA did not: (1) ensure that airport operators had quality\nassurance procedures for the badging application process; (2) ensure that airport\noperators provided training and tools to designated badge office employees; and (3)\nrequire Transportation Security Inspectors to verify the airport data during their\nreviews.\n\nThrough passenger air cargo security, approximately 7.6 million pounds of cargo are\ntransported on passenger planes each day. The Code of Federal Regulations (49 CFR)\nrequires that, with limited exceptions, passenger aircraft may only transport cargo\noriginating from a shipper that is verifiably \xe2\x80\x9cknown\xe2\x80\x9d either to the aircraft operator or to\nthe indirect air carrier that has tendered the cargo to the aircraft operator. Through\ncovert testing we identified vulnerabilities in cargo screening procedures employed by\n6\n DHS-OIG, TSA\xe2\x80\x99sfOversightfoffthefAirportfBadgingfProcessfNeedsfImprovementf(Redacted)f(OIG-11-95, July\n2011).\n\n\n\nwww.oig.dhs.gov                                       5                                           OIG-13-09\n\x0c                               OFFICE OF INSPECTOR GENERAL\n                                   Department of Homeland Security\n\n\nair carriers and cargo screening facilities to detect and prevent explosives from being\nshipped in air cargo transported on passenger aircraft.7 Although TSA has taken steps to\naddress air cargo security vulnerabilities, the agency did not have assurance that cargo\nscreening methods always detected and prevented explosives from being shipped in air\ncargo transported on passenger aircraft.\n\n We conducted a review to determine how TSA identifies, reports, tracks and mitigates\nsecurity breaches at airports nationwide.8 We determined that TSA does not have\nguidance for and oversight of the reporting process. This need for guidance resulted in\nthe agency missing opportunities to strengthen airport security. TSA agreed with the\nrecommendations in our report, and as a first step, is developing a standard definition\nof a security breach. In addition, TSA is also updating its airport performance metrics to\ntrack security breaches and airport checkpoint closures at the national, regional, and\nlocal levels.\n\nRail and Mass Transit\n\nPassenger rail stations are attractive terrorist targets because of the large number of\npeople in a concentrated area. Amtrak provides passenger rail service for nearly 27\nmillion passengers every year, using approximately 22,000 miles of rail in 46 states and\nthe District of Columbia. Although grant recipients, such as Amtrak, transit agencies,\nand State and local authorities, coordinated risk mitigation projects at high-risk rail\nstations, Amtrak did not always use grant funds to implement mitigation strategies at\nthe highest risk rail stations, in terms of casualties and economic impact.9 Amtrak did\nnot mitigate critical vulnerabilities reported in risk assessments. These vulnerabilities\nremain because TSA: (1) did not require Amtrak to develop a corrective action plan\naddressing its highest ranked vulnerabilities; (2) approved Amtrak investment\njustifications for lower risk vulnerabilities; and (3) did not document roles and\nresponsibilities for the grant award process.\n\nAccomplishments\nTSA has taken action as recommended by our audit and inspection work. For instance,\nthe agency began developing detailed utilization reports to ensure that the AIT units\n\n\n\n7\n  DHS-OIG, EvaluationfoffScreeningfoffAirfCargofTransportedfonfPassengerfAircraftf(OIG-10-119, \n\nSeptember 2010). \n\n8\n  DHS-OIG, TransportationfSecurityfAdministration\xe2\x80\x99sfEffortsfTofIdentifyfandfTrackfSecurityfBreachesfatfOurf\n\nNation\xe2\x80\x99sfAirports (OIG-12-80, May 2012).\n\n9\n  DHS-OIG, DHSfGrantsfUsedfforfMitigatingfRisksftofAmtrakfRailfStationsf(Redacted) (OIG-11-93,\nJune 2011).\n\n\n\nwww.oig.dhs.gov                                          6                                             OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\ndeployed are being used efficiently. TSA has also developed more training for TSOs,\nwhich should help their performance.\n\nSince the Secure Flight Program assumed responsibility for passenger prescreening, TSA\nhas provided more consistent passenger prescreening. The program has a defined\nsystem and processes to conduct watch list matching. To ensure that aircraft operators\nfollow established procedures, the Secure Flight Program monitors records and uses its\ndiscretion to forward issues for compliance investigation. The program also includes\nprivacy safeguards to protect passenger personal data and sensitive watch list records\nand information. The Secure Flight Program focuses on addressing emerging threats\nthrough multiple initiatives.\n\nTSA issued a management directive giving the Operational and Technical Training\nDivision responsibility for overall management of the analysis, design, development, and\nimplementation of TSO training programs.\n\nTo identify and track security breaches better, TSA is refining the definition of what\nconstitutes such breaches and implementing a tool to provide more oversight in this\narea. In addition, TSA is also updating its airport performance metrics to track security\nbreaches and airport checkpoint closures at the national, regional, and local levels.\n\nTSA continues to work on improving operations, keeping us informed of the progress\nmade in response to our work.\n\n\nBorder Security\nOverview\nSecuring the Nation\'s borders from illegal entry of aliens and contraband, including\nterrorists and weapons of mass destruction, while welcoming all legitimate travelers and\ntrade, continues to be a major challenge. DHS apprehends hundreds of thousands of\npeople and seizes large volumes of illicit cargo entering the country illegally each year.\nUnited States Customs and Border Protection (CBP) is responsible for securing the\nNation\'s borders at and between the ports of entry. Within CBP, the mission of the\nOffice of Border Patrol helps secure 8,607 miles of international borders.\n\nChallenges\nAlthough CBP has made progress in securing our borders, it continues to face challenges\nin the areas of the Free and Secure Trade program (FAST), bonded facilities, unmanned\naircraft systems, and U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT).\n\n\nwww.oig.dhs.gov                                 7                                      OIG-13-09\n\x0c                             OFFICE OF INSPECTOR GENERAL\n                                  Department of Homeland Security\n\n\nFAST is a commercial clearance program for pre-enrolled commercial truck drivers\nentering the United States from Canada and Mexico designed to facilitate the free flow\nof trade. FAST allows for expedited processing of enrolled trusted travelers, including\nFAST drivers who fulfill certain eligibility requirements. However, FAST\xe2\x80\x99s eligibility\nprocesses do not ensure that only eligible drivers remain in the program. CBP is\nhampered in ensuring that Mexican citizens and residents in the program are low risk\nbecause Mexico does not share Southern border FAST information with the United\nStates to assist in vetting and monitoring drivers\xe2\x80\x99 eligibility. Although renewal is\nrequired every 5 years, ineligible drivers may be actively enrolled in the program,\nexposing the agency to increased risk of compromised border security.10\n\nCBP is responsible for cargo security, including the accountability of the transfer to and\nstorage of cargo at privately owned and operated bonded facilities. Based on audited\nbackground checks at 41 bonded facilities at five seaports, CBP did not have effective\nmanagement controls to ensure that bonded facility employees do not pose a security\nrisk at these facilities. Additionally, CBP neither issued national requirements for\nbackground checks on employees of bonded facilities nor ensured that port directors\nhad management controls over background checks at these facilities. As a result,\nbackground checks were inconsistent and often ineffective. This may put bonded\nfacilities at greater risk for terrorist exploitation, smuggling, and internal conspiracies.\nCBP and United States Immigration and Customs Enforcement\xe2\x80\x99s (ICE\xe2\x80\x99s) Joint Fraud\nInvestigative Strike Teams conducted unannounced investigations of bonded facilities\nresulting in the detention of more than 350 undocumented workers and workers with\noutstanding arrest warrants.11\n\nUnmanned aircraft systems help secure the Nation\'s borders from illegal entry of aliens,\nincluding terrorists, and contraband, including weapons of mass destruction. These\nlong-endurance, medium-altitude remotely piloted aircrafts provide reconnaissance,\nsurveillance, targeting, and acquisition capabilities. CBP did not adequately plan\nresources needed to support its current unmanned aircraft inventory. Although CBP\ndeveloped plans to use the unmanned aircraft\xe2\x80\x99s capabilities, its Concept of Operations\nplanning document did not adequately address processes: (1) to ensure that required\noperational equipment was at each launch and recovery site; (2) for stakeholders to\nsubmit unmanned aircraft mission requests; (3) to determine how mission requests\nwere prioritized; and (4) to be reimbursed for missions flown for stakeholders. CBP risks\nhaving substantially invested in a program that limits resources and its ability to achieve\nOffice of Air and Marine mission goals.12\n\n\n10\n  DHS-OIG, FreefandfSecurefTradefProgram-ContinuedfDriverfEligibility (OIG-12-84, May 2012).\n11\n  DHS-OIG, CBP\xe2\x80\x99sfManagementfControlsfOverfBondedfFacilities (OIG-12-25, January 2012).\n12 DHS-OIG, CBP\xe2\x80\x99sfUsefoffUnmannedfAircraftfSystemsfinfthefNation\xe2\x80\x99sfBorderfSecurity (OIG-12-85, May\n2012).\n\n\n\nwww.oig.dhs.gov                                        8                                             OIG-13-09\n\x0c                              OFFICE OF INSPECTOR GENERAL\n                                   Department of Homeland Security\n\n\nCBP faces challenges in systematically identifying and flagging potential use of\nfraudulent biographic identities in its US-VISIT system.13 An analysis of data showed\n825,000 instances in which the same fingerprints were associated with different\nbiographic data. These differences ranged from misspelled names and transposed birth\ndates to completely different names and birth dates. In some cases individuals may\nhave supplied different names and dates of birth at ports of entry; in others individuals\nmay have used different biographic identities at a port of entry after they had applied\nfor a visa under a different name or been identified as a recidivist alien. Inaccurate and\ninconsistent information reduces the accuracy of US-VISIT data monitoring and impedes\nthe ability to verify that individuals attempting to enter the United States are providing\ntheir true names and dates of birth.\n\nAccomplishments\nCBP indicated it continues to develop a streamlined and cost-effective process to be\nused by port offices when conducting background vetting of bonded facility applicants,\nofficers and principals. This process will add significant oversight, tracking and reporting\ncapabilities to the background vetting process and will allow CBP to determine the\ncriminal history of any current or prospective bonded facility applicant. According to\nCBP officials, US-VISIT has programs to identify individuals who may have overstayed\nthe condition of their visas and manually analyzes entry and exit data to associate\nfingerprints with biographic information. Stronger oversight of this program will keep\nbetter track of individuals entering the United States.\n\n\nInfrastructure Protection\n\nOverview\nProtecting the Nation\xe2\x80\x99s critical physical and cyber infrastructure is crucial to the\nfunctioning of the American economy and our way of life. Critical infrastructure\nprovides the means and mechanisms by which critical services are delivered to the\nAmerican people; the avenues that enable people, goods, capital, and information to\nmove across the country. The Department leads the effort, in collaboration with\nFederal, State, local, regional, and private sector partners, to enhance the protection\nand resilience of critical infrastructure. Ensuring the security of our critical\ninfrastructure and key resources remains a great challenge.\n\n\n\n13\n  DHS-OIG, US-VISITfFacesfChallengesfinfIdentifyingfandfReportingfMultiplefBiographicfIdentitiesf(OIG-12-\n111, August 2012).\n\n\n\nwww.oig.dhs.gov                                         9                                            OIG-13-09\n\x0c                               OFFICE OF INSPECTOR GENERAL\n                                    Department of Homeland Security\n\n\nChallenges\nCatastrophic failures in critical structures such as dams could affect more than 100,000\npeople and have economic consequences surpassing $10 billion. Yet, the Department\ncould not ensure that risk assessments of dams were conducted or that security risks\nwere identified and mitigated.14 Specifically, the Department did not review all critical\ndam risk assessments conducted by other departments and agencies, did not conduct\nsecurity reviews at 55 percent of critical dams, and did not ensure completion of\ncorrective actions to mitigate risk were completed. Cooperation and collaboration with\nits security partners is essential to DHS\xe2\x80\x99 success in assessing risk and consequently,\nprotecting critical infrastructure such as dams. ThefNationalfInfrastructurefProtectionf\nPlan prescribes a voluntary partnership between the government and the private sector\nto manage such risks. The Department does not have the authority to require dam\nowners to undergo security reviews or implement corrective actions.\n\nDHS\xe2\x80\x99 Federal Protective Service (FPS) is responsible for the safety and security of more\nthan 9,000 Federal facilities; the service employs 1,225 Federal staff members and uses\n15,000 contracted security guards to carry out its mission. In August 2008, FPS funded a\n$21 million, 7-year contract to develop and maintain the Risk Assessment and\nManagement Program (RAMP). RAMP was intended to assess and analyze risks to\nFederal facilities and recommend and track countermeasures, as well as manage post\ninspections, guard contracts, and guard certification compliance. However, in May\n2011, FPS ceased development of RAMP because it was not cost effective and had not\nmet its original goals. In July 2011, the Government Accountability Office (GAO)\nreported that RAMP\xe2\x80\x99s actual costs were more than three times the original $21 million\ndevelopment contract amount, the program was behind schedule, and the system could\nnot be used as intended to complete security assessments or guard inspections. The\ncontract was extended for 1 year to operate and maintain RAMP. Although FPS has\nstopped its development, the system is still being used to manage its guard force, and it\ncontains historical data that FPS wants to retain and maintain. As of August 2012, FPS\nhad determined its data needs and was working with the RAMP vendor to preserve\nhistorical documents and guard-related data. 15 DHS has completed data capture and\ndecommissioned RAMP.\n\nAdditionally, according to an August 2012 GAO report, FPS has not effectively led the\ngovernment facilities sector. 16 It has not obtained data on facilities or coordinated or\nassessed risk, all of which are key to risk management and safeguarding of critical\n14\n   DHS-OIG, DHSfRiskfAssessmentfEffortsfinfthefDamsfSector (OIG-11-110, September 2011).\n15\n   DHS-OIG, FederalfProtectivefService\xe2\x80\x99sfExercisefoffafContractfOptionfforfthefRiskfAssessmentfandff\nManagementfProgramf(OIG-12-67, August 2012).\n16\n   GAO, CriticalfInfrastructure:fDHSfNeedsftofRefocusfitsfEffortsftofLeadfthefGovernmentfFacilitiesff\nSectorf(GAO-12-852, August 2012).f\n\n\n\nwww.oig.dhs.gov                                          10                                             OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\nfacilities. Furthermore, FPS has not built effective partnerships across different levels of\ngovernment, needs a dedicated funding line for its activities in this area, and does not\nhave an action plan for protecting facilities.\n\nAccomplishments\nTo improve protection of the Dams Sector, DHS is nearing completion of its OIG-\nrecommended assessment of the appropriateness of a legislative proposal to establish\nregulatory authority for the Dams Sector assets similar to that in the Chemical Sector.\nAt the same time, the Department continues to make strides under the voluntary\nframework. This includes 100 percent completion of Infrastructure Protection\nassessments on privately-owned assets included on the FY 2011 Dams Sector critical\nassets list.\n\nIn regard to RAMP, DHS indicated it has minimized FPS costs and saved the government\nat least $13.2 million by stopping its development and paying the contractor only to\noperate and maintain the program. FPS also leveraged existing technology to develop\nthe Modified Infrastructure Survey Tool nationwide. During the development, FPS\ncontinuously monitored the security posture of Federal facilities by responding to\nincidents, testing countermeasures, and conducting guard post inspections.\nAdditionally, FPS has taken actions to enhance its coordination with sector-specific\nagencies for the government facilities sector. These include establishing new\nrelationships with the State, Local, Tribal and Territorial Government Coordinating\nCouncil to ensure broader state and local participation in sector coordination\nprocedures.\n\n\nDisaster and Preparedness Response\n\nOverview\nThe Federal Emergency Management Agency\xe2\x80\x99s (FEMA) task of coordinating emergency\nsupport following disasters has become more challenging as the number of events to\nwhich it responds has risen each year\xe2\x80\x94from 25 to 70 since 1980. Additionally, FEMA\nspends an average of $4.3 billion each year in its response efforts. Although the agency\nhas improved its disaster response and recovery, challenges remain.\n\n\n\n\nwww.oig.dhs.gov                                 11                                      OIG-13-09\n\x0c                               OFFICE OF INSPECTOR GENERAL\n                                   Department of Homeland Security\n\n\nChallenges\nFEMA faces challenges in determining whether to declare events Federal disasters.\nFEMA uses preliminary disaster assessments to ascertain the impact and magnitude of\ndamage from disasters and the resulting needs of individuals, businesses, the public\nsector, and the community. These assessments also help to determine whether events\nbecome federally declared disasters. In May 2012, we reported that, in deciding\nwhether to declare an event a Federal disaster, FEMA used an outdated indicator that\ndid not accurately measure the ability of State and local governments\xe2\x80\x99 to pay for\ndamages.17 If FEMA had updated the indicator, many recent disasters might not have\nmet the financial conditions for Federal assistance.\n\nIn September 2012, GAO also noted that FEMA needed to improve the criteria it used to\nassess a jurisdiction\xe2\x80\x99s ability to recover from disasters.18 In addition, GAO determined\nthat FEMA had no specific criteria for assessing requests to raise the Federal share for\nemergency work to 100 percent. Finally, FEMA\xe2\x80\x99s administrative costs frequently\nexceeded its targets.\n\nIn evaluating FEMA\xe2\x80\x99s disaster recovery in Louisiana, we determined that only 6.3\npercent of Katrina-related Public Assistance projects had been closed in the 72 months\nsince the hurricane made landfall. 19 As of July 12, 2011, FEMA had obligated $10.2\nbillion in Public Assistance grants to support Louisiana\xe2\x80\x99s recovery from Hurricane\nKatrina. However, projects, especially time critical ones such as Debris Clearance and\nEmergency Work, were years past the closeout deadlines. FEMA, state officials, and\nsubgrantees said the catastrophic damage was the major cause of delay in completing\nand closing out the Public Assistance projects. According to some officials, delays were\nalso due to issues with the Federal Government\xe2\x80\x99s commitment to reimburse Louisiana\nfor 100 percent of all Public Assistance project costs, FEMA\xe2\x80\x99s project procurement\nprocess, the agency\xe2\x80\x99s Public Assistance decision-making, and Louisiana staff resources.\nWe recommended that FEMA develop project management policies, procedures, and\ntimelines for Public Assistance projects that are 100 percent federally funded,\ncoordinate with Louisiana and local governments to evaluate the status of Public\nAssistance projects, and expedite project closures.\n\nFEMA must have a trained, effective disaster workforce to carry out its mission. As part\nof this effort, FEMA has a system to credential, or qualify and certify emergency\n\n17\n   DHS-OIG, OpportunitiesftofImprovefFEMA\xe2\x80\x99sfPublicfAssistancefPreliminaryfDamagefAssessmentfProcess\n\n(OIG-12-79, May 2012).\n\n18\n   GAO, FederalfDisasterfAssistance:fImprovedfCriteriafNeededftofAssessfafJurisdiction\xe2\x80\x99sfCapabilityftoff\n\nRespondfandfRecoverfonfItsfOwn (GAO-12-838, September 2012).\n\n19\n   DHS-OIG, EffortsftofExpeditefDisasterfRecoveryfinfLouisiana (OIG-12-30, January 2012).\n\n\n\n\nwww.oig.dhs.gov                                         12                                            OIG-13-09\n\x0c                             OFFICE OF INSPECTOR GENERAL\n                                  Department of Homeland Security\n\n\nresponse providers through experience, training, and demonstrated performance. At\nthe time of our June 2012 audit, however, FEMA had not completely implemented a\ncredentialing program and had not identified an IT system to track the training,\ndevelopment, and deployment of disaster employees.20 Additionally, the agency did not\nprovide a detailed IT plan, documented costs, project schedule, and capability and/or\nperformance requirements.\n\nOur December 2011 audit report showed that some recipients of FEMA Public\nAssistance grants did not comply with a requirement to obtain and maintain\ninsurance. 21 We also reported that States and FEMA could improve their monitoring\nand oversight to ensure recipients satisfy this requirement and do not receive financial\naid for damages that are, or should be, covered by insurance. State and local\ngovernments are encouraged to obtain insurance to supplement or replace Federal\nGovernment assistance, but the Public Assistance program provides a disincentive to\ncarry insurance. Although FEMA has been aware of this issue for more than 10 years, it\nhas been slow to address it.\n\nProviding the most efficient and cost-effective temporary post-disaster housing has\nbeen a major challenge for FEMA. The deployment of a large number of such housing\nafter Hurricanes Katrina and Rita proved to be difficult. Later, some homes were found\nto contain high levels of formaldehyde, which led to health problems for disaster\nsurvivors. In the aftermath of these disasters, Congress provided FEMA funds to explore\noptions for mitigating future disaster housing issues, including $400 million for an\nAlternative Housing Pilot Program and $1.4 million for the Disaster Housing Pilot\nProject.22\n\nIn the Alternative Housing Pilot Program, it was determined that the units developed\nwere unlikely to match FEMA\xe2\x80\x99s needs for temporary housing. The Disaster Housing Pilot\nProject tested and evaluated 10 different types of housing units and provided options\nfor more cost-effective, future housing, but FEMA put the project on hold because of\ninadequate funding. FEMA also terminated efforts to develop temporary housing units\nwithout indoor air quality issues, although in 2011, these efforts had resulted in model\nunits with acceptable air quality levels. For future disasters, FEMA decided to house\ndisplaced disaster victims exclusively in mobile homes built to Department of Housing\nand Urban Development standards, which will eliminate many past problems. However,\nthese units will likely cost more, are not suitable for flood plains, and will not fit on most\nurban home sites. The inability to use urban sites may hinder FEMA\xe2\x80\x99s capability to\n\n20\n   DHS-OIG, FEMA\xe2\x80\x99sfProgressfinfImplementingfEmployeefCredentials (OIG-12-89, June 2012). \n\n21\n   DHS-OIG, FEMA\xe2\x80\x99sfProcessfforfTrackingfPublicfAssistancefInsurancefRequirements (OIG-12-18, December\n\n2011).\n\n22\n   DHS-OIG, FuturefDirectionsfoffFEMA\xe2\x80\x99sfTemporaryfHousingfAssistancefProgram (OIG-12-20, December\n\n2011).\n\n\n\n\nwww.oig.dhs.gov                                       13                                          OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\nrespond quickly to disasters because alternative sites are limited, take more time to\ndevelop, and are frequently blocked by local communities. These sites are also much\nmore expensive than private sites.\n\nAccomplishments\nFEMA continues to work on improving preliminary disaster assessments and recovery\noperations, keeping us informed of the progress made in response to our work. The\nDisaster Housing Pilot Project was created to evaluate innovative housing options by\nusing them as student housing at a FEMA training facility. It is part of the effort to\nidentify and evaluate alternative means of housing disaster survivors as directed by the\nPost-Katrina Act. Although the results of the evaluations are not yet complete, the\nproject is providing a cost-effective means of identifying and testing alternative housing\nunits.\n\nFEMA is also pursuing data collection tools that will provide enhanced capabilities to\nperform Preliminary Damage Assessments (PDA) and record information in an efficient\nand consistent manner. FEMA is assessing the best available options for development\nof such a tool for PDAs, based on efforts to explore development of such a tool and in\nlight of available technologies. Based on the findings of the assessment, FEMA plans to\ndevelop and implement the improved PDA data collection tool in FY13. This will\nimprove PDA data collection, streamline the PDA process through use of an electronic\nsystem for data collection and reporting, and enhance the effectiveness of the PDA\nprocess.\n\nAccording to FEMA, as of October 1, 2012, the FEMA Qualification System (FQS) became\noperational. FQS establishes the system for qualification and certification of the FEMA\nincident workforce through experience, training, and demonstrated performance.\nThroughout the year, milestones have been met to implement this critical program\nalong with our other disaster workforce initiatives. While there will be continued\ndevelopment and expansion of the program FQS has been implemented for the entire\nincident management workforce.\n\nFEMA is implementing other initiatives to improve disaster budgeting and program\nmanagement once a declaration has been made that will enhance FEMA\xe2\x80\x99s ability to\nmanage and budget for expenditures from the Disaster Relief Fund.\n\n\n\n\nwww.oig.dhs.gov                                 14                                     OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\n\n          Accountability Issues \n\nAs the third largest agency in the Federal Government, DHS is responsible for managing\na large workforce, and significant Federal resources. DHS is responsible for an annual\nbudget of more than $59 billion, employs more than 225,000 employees and operates\nin more than 75 countries. At its establishment in 2003, DHS faced building a cohesive\nand efficient organization from 22 disparate agencies, while simultaneously performing\nthe critical mission for which it was created. As a whole, DHS has made progress in\ncoalescing into a more effective organization, establishing policies and procedures to set\nthe groundwork for effective stewardship over its resources but challenges remain.\n\n\nAcquisition Management\n\nOverview\nEffective oversight and management of acquisition processes is vital to DHS. At the time\nof our reporting in 2012, the Department had approximately 160 acquisition programs\nwith estimated life cycle costs of more than $144 billion. DHS\xe2\x80\x99 acquisitions were\nnumerous, varied, and complex, including everything from ships, aircraft, and vehicles\nto real estate, computer technology, and maintenance services.\n\nChallenges\nDuring FY 2012, both OIG and GAO conducted audits of acquisition management,\nexamining individual acquisition programs and the underlying policies and procedures.\nWe identified challenges the Department faces in the Secure Border Initiative. For\nexample, along the southwest border, CBP has spent $1.2 billion to construct physical\nbarriers as part of the Secure Border Initiative. As part of that effort, CBP did not\neffectively manage the purchase and storage of steel for fence construction, which cost\nabout $310 million. It purchased steel before legally acquiring land or meeting\ninternational treaty obligations. In addition, CBP did not provide effective contract\noversight, including not paying invoices on time and not reviewing the contractor\xe2\x80\x99s\nselection of a higher-priced subcontractor. As a result of these issues, CBP purchased\nmore steel than needed, incurred additional storage costs, paid interest on late\n\n\n\n\nwww.oig.dhs.gov                                15                                     OIG-13-09\n\x0c                              OFFICE OF INSPECTOR GENERAL\n                                  Department of Homeland Security\n\n\npayments, and approved a higher-priced subcontractor, resulting in expenditures of\nnearly $69 million that could have been put to better use.23\n\nA November 2011 GAO review of the subsequent southwest border strategy, the\nArizona Border Surveillance Technology Plan, showed that DHS did not document the\nanalysis justifying the specific types, quantities, and deployment locations of border\nsurveillance technologies proposed in the plan.24 Without documentation DHS was\nhindered in its ability to verify that processes were followed, identify underlying\nanalyses, assess the validity of the decisions made, and justify the requested funding.\n\nAcquisition and resource management will continue to be a challenge for the United\nStates Coast Guard (USCG) as it strengthens acquisition management capabilities and\ndevelops acquisition program baselines for each asset. According to GAO, the approved\nbaselines for 10 of 16 programs did not reflect cost and schedule plans because\nprograms breached the cost or schedule estimates in those baselines, changed in scope,\nor were not expected to receive funding to execute baselines as planned.25 According to\nDHS, during 2012, two USCG program baselines were approved by DHS, two are pending\nDHS approval, and one is in USCG routing.\n\nSince 2003, under a program to replace its aging HU-25 Falcon fleet, the USCG has taken\ndelivery of 13 Ocean Sentry Maritime Patrol medium-range surveillance aircraft. In\nmost instances, the USCG awarded the Ocean Sentry Maritime Patrol aircraft contracts\neffectively. However, it could have improved its oversight of the latest contract,\nawarded in July 2010 to the European Aeronautic Defense and Space Company North\nAmerica for three aircraft valued at nearly $117 million. For this contract, the USCG was\naware of conclusions by the Defense Contract Audit Agency regarding non-chargeable\ncosts and noncompliance with the Federal Acquisition Regulation by the subcontractor,\nEuropean Aeronautic Defense and Space Company/Construcciones Aeron\xc3\xa1uticas\nSociedad An\xc3\xb3nima. The USCG was aware of the conclusions, and could have conducted\nadditional follow up to ensure that the subcontractor had implemented\nrecommendations made by the Defense Contract Audit Agency. The USCG also did not\nobtain sufficient support to ensure it excluded non-chargeable costs when awarding the\nlatest contract.26\n\n\n\n\n23\n   DHS-OIG, U.S.fCustomsfandfBorderfProtection\xe2\x80\x99sfManagementfoffthefPurchasefandfStoragefoffSteelfinf\n\nSupportfoffthefSecurefBorderfInitiative (OIG-12-05, November 2011).\n\n24\n   GAO-OIG, ArizonafBorderfSurveillancefTechnology:fMorefInformationfonfPlansfandfCostsfIsfNeededf\n\nBeforefProceeding (GAO-12-22, November 2012).\n\n25\n   GAO, CoastfGuard:fPortfoliofManagementfApproachfNeededftofImprovefMajorfAcquisitionfOutcomes\n\n(GAO-12-918, September 2011). \n\n26\n   DHS-OIG, U.S.fCoastfGuard\xe2\x80\x99sfMaritimefPatrolfAircraft (OIG-12-73, April 2012).\n\n\n\n\nwww.oig.dhs.gov                                       16                                           OIG-13-09\n\x0c                             OFFICE OF INSPECTOR GENERAL\n                                  Department of Homeland Security\n\n\nThe Department continues to face challenges in integrating the 22 disparate legacy\nagencies and these challenges have a direct effect on acquisition management\ndecisions. According to a September 2012 GAO report, DHS acquisition policy does not\nfully reflect several key portfolio management practices, such as allocating resources\nstrategically, and DHS has not yet re-established an oversight board to manage its\ninvestment portfolio across the Department.27 For example, there have been numerous\nefforts to find efficiencies between CBP\xe2\x80\x99s and USCG\xe2\x80\x99s aviation fleets. The Secretary\xe2\x80\x99s FY\n2013 budget emphasized consolidating and streamlining systems and operations to\nensure cost savings. In a March 2012 hearing, the Secretary highlighted efforts to\nincrease the effectiveness of DHS\xe2\x80\x99 aviation assets through increased coordination and\ncollaboration. In 2010, CBP and the USCG signed a joint strategy to unify their aviation\nmanagement information systems. However, as of July 2012, CBP planned to acquire a\nnew, separate IT system for its aircraft, which would continue past practices of\nobtaining disparate systems that did not share information with other components,\nincluding the USCG. We recommended that CBP terminate this planned acquisition and\ntransition its aviation logistics and maintenance tracking to the USCG\xe2\x80\x99s system, in\naccordance with the Secretary\xe2\x80\x99s efficiency initiatives and the joint strategy. By\ntransitioning to the USCG\xe2\x80\x99s system, CBP could improve the effectiveness of aviation\nmanagement information tracking and save more than $7 million.28\n\nAccomplishments\nAccording to DHS, it has made progress in improving program governance, increasing\ninsight into program performance, and building acquisition and program management\ncapabilities. DHS has implemented requirements for tiered acquisition program reviews\nintended to increase its ability to identify and mitigate program risk. The Department\nhas also implemented a Decision Support Tool to provide visibility into program health\nand has established Centers of Excellence to provide guidance.\n\nIn August, 2012, we reported that DHS was progressing toward the implementation of\nan information technology infrastructure at the St. Elizabeth\xe2\x80\x99s Campus in Washington,\nDC.29 Specifically, DHS partnered with the General Services Administration to use its\ninteragency information technology contracting vehicles. The General Services\nAdministration also awarded a task order on behalf of DHS to acquire information\ntechnology resources for the Technology Integration Program.\n\n\n\n27\n   GAO, DHSfRequiresfMorefDisciplinedfInvestmentfManagementftofHelpfMeetfMissionfNeedsf(GAO-12-\n833, September 2012). \n\n28\n   DHS-OIG, CBPfAcquisitionfoffAviationfManagementfTrackingfSystem (OIG-12-104, August 2012).\n\n29\n   DHS-OIG, AdherenceftofAcquisitionfManagementfPoliciesfWillfHelpfReducefRisksftofthefTechnologyf\n\nIntegrationfProgram, (OIG-12-107, August 2012). \n\n\n\n\nwww.oig.dhs.gov                                       17                                          OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\nThe Department has created an Acquisition Workforce Development initiative to\nimprove its acquisition workforce. This initiative includes expanding training\nopportunities and offering certification programs in Cost Estimating, Program Financial\nManagement, Life Cycle Logistics, and Test and Evaluation and Systems Engineering.\nWhen the outcomes of this initiative are achieved the Department\xe2\x80\x99s acquisition\nworkforce will be ready to acquire and sustain the systems and services necessary to\nsecure the homeland, while ensuring that the Department and taxpayers received the\nbest value for the expenditure of public resources.\n\n\nFinancial Management\nOverview\nThe Federal Government has a fundamental responsibility to be an effective steward of\ntaxpayer dollars. Sound financial practices and related management operations are\ncritical to achieving the Department\xe2\x80\x99s mission and to providing reliable, timely financial\ninformation to support management decision-making throughout DHS. Congress and\nthe public must be confident that DHS is properly managing its finances to minimize\ninefficient and wasteful spending, make informed decisions to manage government\nprograms, and implement its policies.\n\nAlthough DHS produced an auditable balance sheet and statement of custodial activity\nin FY 2011 and obtained a qualified opinion on those statements, challenges remain for\nthe Department\xe2\x80\x99s financial management. Achieving a qualified opinion resulted from\nconsiderable effort by DHS employees, rather than through complete implementation of\na reliable system of control over financial reporting. As a result of DHS obtaining a\nqualified opinion on its balance sheet and statement of custodial activity in FY 2011, the\nscope of the FY 2012 audit was increased to include statements of net cost, changes in\nnet position, and combined statement of budgetary resources.\n\n\nChallenges\n\nManagerial Cost Accounting\n\nThe Department does not have the ability to provide timely cost information by major\nprogram, and by strategic and performance goals. The Department\xe2\x80\x99s financial\nmanagement systems do not allow for the accumulation of costs, at the consolidated\nlevel, by major program, nor allow for the accumulation of costs by responsibility\nsegments directly aligned with the major goals and outputs described in each entity\xe2\x80\x99s\nstrategic and performance plan. Further, the Department needs to develop a plan to\n\n\nwww.oig.dhs.gov                                 18                                     OIG-13-09\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\nimplement managerial cost accounting, including necessary information systems\nfunctionality. Currently, the Department must use manual data calls to collect cost\ninformation from the various components and compile consolidated data.\n\nOIG conducted several audits during FY 2012 and identified a number of components\nthat did not have the ability to provide various cost data when requested. For example:\n   \xe2\x80\xa2\t During the audit of TSA\xe2\x80\x99s Aviation Channeling Service Provider program (OIG 12-\n      132-AUD-TSA) we learned that TSA did not track and report all project costs\n      related to the program. According to TSA program officials, it was impossible to\n      provide exact costs because the expenditures were not tracked in detail.\n   \xe2\x80\xa2\t During the audit examining CBP\xe2\x80\x99s acquisition and conversion of H-60 helicopters\n      (OIG 12-102-AUD-CBP), CBP officials received high-level cost information from\n      the U.S. Army, but it did not include the detail necessary to adequately oversee\n      the CBP H-60 programs. For example, the Army conducted approximately\n      15,000 tests on CBP H-60 components, but CBP could not identify the tests that\n      were completed or the specific costs. In addition, for each CBP H-60 helicopter,\n      financial data from three sources listed a different total cost for each helicopter.\n   \xe2\x80\xa2\t During the audit of CBP\xe2\x80\x99s use of radiation portal monitors at seaports (OIG 12-\n      033-AUD-CBP), we found instances in which the acquisition values for the\n      monitors were incorrect and could not be supported.\n\nAnti-Deficiency Act Violations\n\nThe Department continues to have challenges in complying with the Anti-Deficiency Act\n(ADA). As of September 30, 2012, the Department and its components reported five\npotential ADA violations in various stages of review, including one potential ADA\nviolation identified in FY 2012, which the Department is currently investigating. The\nfour other ADA violations involve: (1) expenses incurred before funds were committed\nor obligated; (2) pooled appropriations to fund shared services; (3) a contract awarded\nbefore funds had been re-apportioned; and (4) improper execution of the obligation and\ndisbursement of funds to lease passenger vehicles.\n\nFinancial Statement Audit\n\nThe following five items show the status of DHS\xe2\x80\x99 effort to address internal control\nweaknesses in financial reporting. These were identified as material weaknesses in the\nFY 2011 independent audit of DHS\xe2\x80\x99 consolidated balance sheet and statement of\ncustodial activity. All five material weaknesses remain in FY 2012.\n\n\n\n\nwww.oig.dhs.gov                                19                               \t       OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\n\nFinancial Reporting\n\nFinancial reporting presents financial data on an agency\xe2\x80\x99s financial position, its\noperating performance, and its flow of funds for an accounting period.\n\nIn FY 2011 the USCG, USCIS, and TSA contributed to the material weakness in this area.\nWhile some findings reported in FY 2011 were corrected, other findings at USCG and\nTSA remained in FY 2012. Also, in FY 2012, new financial reporting findings were\nidentified at ICE.\n\nAs in the previous year, the auditors reported this year that the USCG does not have\nproperly designed, implemented, and effective policies, procedures, processes, and\ncontrols surrounding its financial reporting process. The USCG uses three general\nledgers, developed over a decade ago. This legacy system has severe functional\nlimitations that contribute to its ability to address systemic internal control weaknesses\nin financial reporting, strengthen the control environment, and comply with relevant\nFederal financial system requirements and guidelines.\n\nThe auditors identified deficiencies that remain in some financial reporting processes at\nTSA. For example, there are weak or ineffective controls in some key financial reporting\nprocesses, of the management\xe2\x80\x99s quarterly review of the financial statements, and in\nsupervisory reviews over journal vouchers. In addition, TSA has not fully engaged\ncertain program and operational personnel and data into the financial reporting process\nand is not fully compliant with the United States Government Standard General Ledger\nrequirements at the transaction level. In recent years, TSA implemented several new\nprocedures and internal controls to correct known deficiencies, but some procedures\nstill require modest improvements to fully consider all circumstances or potential errors.\nThe control deficiencies contributed to substantive and classification errors reported in\nthe financial statements and discovered during the audit.\n\nDuring FY 2012, the auditors noted financial reporting control weaknesses at ICE,\nprimarily resulting from expanded audit procedures for the full-scope financial\nstatement audit. ICE has not fully developed sufficient policies, procedures, and internal\ncontrols for financial reporting. It also needs adequate resources to respond to audit\ninquiries promptly, accurately, and with the ability to identify potential technical\naccounting issues. ICE faces challenges in developing and maintaining adequate lines of\ncommunication within its Office of Financial Management and among its program\noffices. Communication between financial managers and personnel responsible for\ncontributing to financial reports was not sufficient to consistently generate clear and\nusable information. In addition, ICE does not have sufficient coordination with IT\n\n\n\n\nwww.oig.dhs.gov                                 20                                     OIG-13-09\n\x0c                           OFFICE OF INSPECTOR GENERAL\n                               Department of Homeland Security\n\n\npersonnel, including contractors, who are responsible for generating certain financial\nreports.\nInformation Technology Controls and Financial Systems Functionality\n\nIT general and application controls are essential to effective and reliable reports of\nfinancial and performance data.\nDuring the FY 2011 financial statement audit, the independent auditor noted that the\nDepartment remediated 31 percent of the prior year IT findings. The most significant FY\n2011 weaknesses include: (1) excessive unauthorized access to key DHS financial\napplications, resources, and facilities; (2) configuration management controls that are\nnot fully defined, followed, or effective; (3) security management deficiencies in the\ncertification and accreditation process and an ineffective program to enforce role-based\nsecurity training and compliance; (4) contingency planning that lacked current, tested\ncontingency plans developed to protect DHS resources and financial applications; and\n(5) improperly segregated duties for roles and responsibilities in financial systems. These\ndeficiencies negatively affected the internal control over DHS\xe2\x80\x99 financial reporting and its\noperation and contributed to the FY 2011 financial management and reporting material\nweakness.\n\nFor FY 2012, DHS made some progress in correcting the IT general and application\ncontrol weaknesses identified in FY 2011. DHS and its components remediated 46\npercent of the prior year IT control weaknesses, with CBP, FEMA, and TSA making the\nmost progress in remediation. Although CBP and FEMA made progress in correcting\ntheir prior year issues, in FY 2012, the most new issues were noted at these two\ncomponents. New findings resulted primarily from new IT systems and business\nprocesses that came within the scope of the FY 2012 financial statement audit and that\nwere noted at all DHS components.\n\nThe auditors noted many cases in which financial system functionality inhibits DHS\xe2\x80\x99\nability to implement and maintain internal controls, notably IT application controls\nsupporting financial data processing and reporting. As a result, ongoing financial system\nfunctionality limitations are contributing to the Department\xe2\x80\x99s challenge to address\nsystemic internal control weaknesses and strengthen the overall control environment.\n\nIn FY 2012, five IT control weaknesses remained and presented risks to the\nconfidentiality, integrity, and availability of DHS\xe2\x80\x99 financial data: (1) access controls; (2)\nconfiguration management; (3) security management; (4) contingency planning; and (5)\nsegregation of duties.\n\nProperty, Plant and Equipment\n\n\n\n\nwww.oig.dhs.gov                                  21                                       OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\nDHS capital assets and supplies consist of items such as property, plant, and equipment\n(PP&E) operating materials, as well as supplies, including boats and vessels at the USCG,\npassenger and baggage screening equipment at TSA, and stockpiles of inventory to be\nused for disaster relief at FEMA. The USCG maintains approximately 50 percent of all\nDHS PP&E.\n\nDuring FY 2011, TSA, the USCG, CBP, and the Management Directorate contributed to a\ndepartmental material weakness in PP&E. During FY 2012, TSA and Management\nDirectorate substantially completed corrective actions in PP&E accounting processes. In\nFY 2012, the USCG continued to remediate PP&E process and control deficiencies,\nspecifically those associated with land, buildings and other structures, vessels, small\nboats, aircraft, and construction in process. However, remediation efforts were not fully\ncompleted in FY 2012. The USCG had difficulty establishing its opening PP&E balances\nand accounting for leases, primarily because of poorly designed policies, procedures,\nand processes implemented more than a decade ago, combined with ineffective internal\ncontrols and IT system functionality difficulties.\n\nAs in prior years, CBP has not fully implemented policies and procedures, or does not\nhave sufficient oversight of its adherence to policies and procedures, to ensure that all\nPP&E transactions are recorded promptly and accurately, or to ensure that all assets are\nrecorded and properly valued in the general ledger. Further in FY 2012, ICE did not have\nadequate processes and controls in place to identify internal-use software projects that\nshould be considered for capitalization.\n\nEnvironmental and Other Liabilities\n\nLiabilities are the probable and measurable future outflow or other sacrifice of\nresources resulting from past transactions or events. The internal control weaknesses\nreported in this area are related to various liabilities, including environmental, accounts\npayable, legal, and accrued payroll and benefits.\n\nThe USCG\xe2\x80\x99s environmental liabilities represent approximately $500 million or 75 percent\nof total DHS environmental liabilities. The USCG completed the final phases of a multi-\nyear remediation plan to address process and control deficiencies related to\nenvironmental liabilities later in FY 2012. However, the USCG did not implement\neffective controls to ensure the completeness and accuracy of all underlying data\ncomponents used to calculate environmental liability balances. Further, the USCG did\nnot have documented policies and procedures to update, maintain, and review\nschedules to track environmental liabilities (e.g., Formerly Used Defense Sites) for which\nit was not primarily responsible at the Headquarters level. Additionally, the USCG did\nnot effectively implement existing policies and procedures to validate the prior year\naccounts payable estimate.\n\n\n\nwww.oig.dhs.gov                                 22                                      OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\n\n\nBudgetary Accounting\n\nBudgetary accounts are general ledger accounts for recording transactions related to\nthe receipt, obligation, and disbursement of appropriations and other authorities to\nobligate and spend agency resources. DHS has numerous sources and types of budget\nauthority, including annual, multi-year, no-year, and permanent and indefinite\nappropriations, as well as several revolving, special, and trust funds. Timely and\naccurate accounting for budgetary transactions is essential to managing Department\nfunds and preventing overspending.\n\nThe USCG implemented corrective actions plans over various budgetary accounting\nprocesses in FY 2012; however, some control deficiencies reported in FY 2011 remain,\nand new deficiencies were identified. Although FEMA also continued to improve its\nprocesses and internal controls over the obligation and monitoring process, some\ncontrol deficiencies remain.\n\nAs the financial service reporting provider, ICE is responsible for recording budgetary\ntransactions and administers budgetary processes across different types of funds at the\nNational Protection and Programs Directorate, Science and Technology Directorate,\nManagement Directorate, and Office of Health Affairs. In FY 2011, ICE identified and\nbegan remediating deficiencies in the financial management system that impact\naccounting transactions such as positing logic related to adjustments of prior year\nunpaid, undelivered orders. In FY 2012, ICE continued to address these issues with\ncertain types of obligations.\n\n\nAccomplishments\nThe Department continues to work on improving financial reporting. In FY 2012, DHS\nreceived a qualified opinion on its financial statements. Improvements were seen at\nvarious components. For example, USCIS corrected control deficiencies in financial\nreporting that contributed to the overall material weakness. Likewise, TSA made\nsignificant progress in addressing PP&E, removing its contribution to the Department\xe2\x80\x99s\nmaterial weakness. Further, the USCG continued to make financial reporting\nimprovements in FY 2012 by completing its planned corrective actions over selected\ninternal control deficiencies. These remediation efforts allowed management to make\nnew assertions in FY 2012 related to the auditability of its financial statement balances.\nIn addition, management was able to provide a qualified assurance of internal control\nover financial reporting in FY 2012.\n\n\n\n\nwww.oig.dhs.gov                                 23                                     OIG-13-09\n\x0c                             OFFICE OF INSPECTOR GENERAL\n                                  Department of Homeland Security\n\n\nAccording to DHS\xe2\x80\x99 Office of Financial Management, there is improved access to and\nbetter quality of financial management information. The Department has implemented\nbusiness intelligence tools to help organize, store, and analyze data more efficiently.\nAccording to the office, the Department can now take information from individual\nbudgets and display it for the enterprise, allowing views of DHS\xe2\x80\x99 budget allocation by\nmission area. Additionally, the Department is developing management tools (Decision\nSupport Tool) to help compile department-wide program cost information. The\nDecision Support Tool should provide a central dashboard to assess and track the health\nof acquisition projects, programs, and portfolios by showing key indicators of program\nhealth, such as cost, funding, and schedule.\n\n\n\nIT Management\nOverview\nAs technology constantly evolves, the protection of the Department\xe2\x80\x99s IT infrastructure\nbecomes increasingly more important. The Department\xe2\x80\x99s Chief Information Officer\n(CIO) has taken steps to mature IT management functions, improve IT governance, and\nintegrate IT infrastructure. Specifically, at the Department level, the CIO has increased\nIT governance oversight and authority by reviewing component IT programs and\nacquisitions. Although the Department\xe2\x80\x99s documented processes were still draft, these\nsteps have enabled the CIO to make strategic recommendations to reduce costs and\nduplication through activities such as infrastructure integration, as well as data center\nand network consolidation.\n\nChallenges\nSeveral DHS components continue to face IT management challenges. For example, in a\nNovember 2011 audit, we reported that USCIS delayed implementing its transformation\nprogram because of changes in the deployment strategy and system requirements that\nwere insufficiently defined prior to selecting the IT system solution.30 Other challenges,\nsuch as the governance structure, further delayed the program. As a result, USCIS\ncontinued to rely on paper-based processes to support its mission, which made it\ndifficult for the component to process immigration benefits efficiently, combat identity\nfraud, and provide other government agencies with information to identify criminals\nand possible terrorists quickly. USCIS took steps to address some of these challenges by\nmoving to an agile development approach, instead of a \xe2\x80\x9cwaterfall\xe2\x80\x9d process. This change\n\n30\n  DHS-OIG, U.S.fCitizenshipfandfImmigrationfServices\xe2\x80\x99fProgressfinfTransformation (OIG-12-12, November\n2011).\n\n\n\nwww.oig.dhs.gov                                       24                                          OIG-13-09\n\x0c                             OFFICE OF INSPECTOR GENERAL\n                                 Department of Homeland Security\n\n\nimproved program monitoring and governance and increased the focus on staffing \n\nissues. \n\nAccording to a June 2012 audit, CBP needs to address systems availability challenges, \n\ndue in part to an aging IT infrastructure.31 Limited interoperability and functionality of \n\nthe technology infrastructure made it difficult to fully support CBP mission operations. \n\nAs a result, CBP employees chose to use alternative solutions, which may have hindered \n\nCBP\xe2\x80\x99s ability to accomplish its mission and ensure officer safety. \n\n\nDHS has matured key information IT functions, such as portfolio management. \n\nHowever, in May 2012, we reported that recruiting people with the necessary skills to \n\nperform certain management functions remains a challenge. Also, DHS needs to \n\nimprove its budget review process so that the CIO can identify and resolve issues before \n\ncomponents finalize their IT investments.32 In addition, GAO reported in July 2012 that \n\nDHS had a vision for its new IT governance process, which included a tiered oversight \n\nstructure with distinct roles and responsibilities throughout the Department. However, \n\nDHS\xe2\x80\x99 IT governance policies and procedures were not finalized, which meant less \n\nassurance that its new IT governance would consistently support best practices and \n\naddress previously identified weaknesses in investment management.33\n\n\nCBP needs to improve its compliance with Federal privacy regulations. It also needs to \n\nestablish an Office of Privacy with appropriate resources and staffing. Although DHS has \n\na directive to ensure compliance with all privacy policies and procedures issued by the \n\nChief Privacy Officer, an April 2012 audit disclosed that CBP made limited progress \n\ntoward instilling a culture of privacy that protects sensitive personally identifiable \n\ninformation.34 Without a component-wide approach that minimizes the collection of \n\nemployee Social Security numbers, privacy incidents involving these numbers will \n\ncontinue to occur. \n\n\nAccomplishments\nThe Department has created initiatives to improve IT Program Governance and\nInformation Security. These programs are designed to prioritize programs to meet\nDepartment business needs, eliminate duplicate functions and systems, increase\nprogram accountability and strengthen internal controls.35 Progress has been made to\n\n\n31\n   DHS-OIG, CBPfInformationfTechnologyfManagement:fStrengthsfandfChallenges (OIG-12-95, June 2012).\n32\n   DHS-OIG, DHSfInformationfTechnologyfManagementfHasfImproved,fButfChallengesfRemain (OIG-12-82,\nMay 2012).\n33\n   GAO, DHSfNeedsftofFurtherfDefinefandfImplementfItsfNewfGovernancefProcess (GAO-12-818, July 2012).\n34\n   DHS-OIG, U.S.fCustomsfandfBorderfProtectionfPrivacyfStewardship (OIG-12-78, April 2012).\n35\n   DHS, IntegratedfStrategyfforfHighfRiskfManagement:fImplementationfandfTransformation (June 2012).\n\n\n\nwww.oig.dhs.gov                                      25                                          OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\nmeet the goals of these initiatives and once fully achieved, the Department will have\nincreased accountability for its information technology programs.\n\nAccording to DHS, the CIO has created performance measures to help establish\naccountability and determine progress and accomplishments in IT Program\nGovernance. For example, one measure is the number of IT segments covered by\nportfolio governance. Since IT segments represent a subset of the Department\xe2\x80\x99s\nmission and a business portfolio, this measure has resulted in an increase in the number\nof IT functions that have governance in place. In the beginning of FY 2012, only 5 of 30\nIT segments were covered by portfolio governance. By the end of FY 2012, the Office of\nthe CIO achieved its target to attain portfolio governance for 10 of 30 (33 percent) IT\nsegments. By the end of FY 2013, the office will capture an additional 5 segments to\nreach its goal of 50 percent (15 of 30). By FY 2016, the goal is to have all 30 functional\nareas with IT governance.\n\n\n\nGrants Management\nOverview\nMore than $35 billion in homeland security grants have been provided over the past 10\nyears to States, territories, local, and tribal governments to enhance capabilities to plan,\nprepare for, prevent, respond to, and recover from natural disasters, acts of terrorism,\nand other manmade disasters. In grants management, FEMA is challenged to ensure\nthe grants process is transparent, efficient, and effective. FEMA must also provide\noversight to a large number of geographically dispersed grant recipients to ensure\nFederal funds are used for their intended purposes.\n\nChallenges\nFEMA can improve its efforts in strategic planning, performance measurement,\noversight, and sustainment, including tracking States\xe2\x80\x99 milestones and accomplishments\nfor homeland security grant-funded programs. FEMA needs to improve its strategic\nmanagement guidance for State Homeland Security Grants. In our most recent Annualf\nReportftofCongress, we summarized State Homeland Security strategies and identified\ndeficiencies related to measurable goals and objectives. Although current guidance for\nState Homeland Security strategies encourage revisions every 2 years, such revisions are\nnot required. Additionally, we identified State Homeland Security strategies that do not\nhave goals and objectives that are specific, measurable, achievable, results-oriented,\nand time-limited. Without a measurable goal or objective, or a process to gather results\noriented data, States may not be assured that their preparedness and response\n\n\nwww.oig.dhs.gov                                 26                                      OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\ncapabilities are effective. States are also less capable of determining progress toward\ngoals and objectives when making funding and management decisions.\n\nFEMA has not provided sufficient guidance on establishing metrics and measuring\nperformance. Our audits show that States continue to need the proper guidance and\ndocumentation to ensure accuracy or track milestones. Providing guidance on the\nappropriate metrics and requiring documentation of those metrics would help States\nunderstand the effectiveness of each grant program.\n\nFEMA also needs to strengthen its guidance on reporting progress in achieving\nmilestones as part of the States\xe2\x80\x99 annual program justifications. We determined that\nStates\xe2\x80\x99 milestones for these continuing investment programs could not be compared to\nthose in previous years\xe2\x80\x99 applications. Additionally, the status of the previous year\nmilestones was not always included in applications. Because of these weaknesses,\nFEMA could not determine, from the annual application process, whether a capability\nhad been achieved, what progress had been made, or how much additional funding was\nneeded to complete individually justified programs. Without this information, FEMA\ncould not be assured it made sound investment decisions.\n\nBecause of insufficient information on milestones and program accomplishments, FEMA\nannually awarded Homeland Security Grant Program funds to States for ongoing\nprograms without knowing the accomplishments from prior years\xe2\x80\x99 funding or the extent\nto which additional funds were needed to achieve certain capabilities. Tracking\naccomplishments and milestones are critical to making prudent management decisions\nbecause of the changes that can occur between years or during a grant\xe2\x80\x99s period of\nperformance.\n\nFEMA needs to improve its oversight to ensure States are meeting their reporting\nobligations in a timely manner so that the agency has the information it needs to make\nprogram decisions and oversee program achievements. Improved oversight will also\nensure that States are complying with Federal regulations on procurements and\nsafeguarding of assets acquired with Federal funds. In our annual audits of the State\nHomeland Security Program, we repeatedly identified weaknesses in the States\xe2\x80\x99\noversight of grant activities. Those weaknesses include inaccuracies and untimely\nsubmissions of financial status reports; untimely allocation and obligation of grant\nfunds; and not following Federal procurement, property, and inventory requirements.\n\nDelays in the submission of Financial Status Reports may have hampered FEMA\xe2\x80\x99s ability\nto monitor program expenditures effectively and efficiently. They may also have\nprevented the States from drawing down funds in a timely manner and ultimately\naffected the functioning of the program. Delays also prevented the timely delivery of\nplans, equipment, exercises, and training for first responders.\n\n\n\nwww.oig.dhs.gov                                27                                     OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\n\nIn our audits in FYs 2011 and 2012, we noticed an emerging trend with issues related to\nprogram sustainment. States did not prepare contingency plans addressing potential\nfunding shortfalls when DHS grant funding was significantly reduced or eliminated. In\nan era of growing budget constraints it is important to use resources for projects that\ncan be sustained. FEMA addressed this issue in its FY 2012 grant guidance by focusing\non sustainment rather than new projects.\n\nAccomplishments\nAlthough significant issues in grants management remain, progress has been made. In\nmost instances, audited States efficiently and effectively fulfilled grant requirements,\ndistributed grant funds, and ensured available funds were used. The States also\ncontinued to use reasonable methodologies to assess threats, vulnerabilities,\ncapabilities, and needs, as well as allocate funds accordingly. Our audits have identified\nseveral effective tools and practices used by some States that could benefit all States;\nFEMA and the States also willingly shared information. FEMA has been responsive to\nour recommendations and the agency is taking action to implement those\nrecommendations. At the Headquarters level, DHS is establishing a governance body\nthat will determine high-risk areas such as those cited above, develop strategies to\nmitigate those risks and employ standardized formats, templates, and processes to\nensure consistent financial assistance activities throughout DHS. Some of these\nstandardized templates and processes are already in place.\n\n\n\nEmployee Accountability and Integrity\nOverview\nThe smuggling of people and goods across the Nation\xe2\x80\x99s borders is a large scale business\ndominated by organized criminal enterprises. The Mexican drug cartels today are more\nsophisticated and dangerous than any other organized criminal groups in our law\nenforcement experience. Drug trafficking organizations are becoming increasingly more\ninvolved in systematic corruption of DHS employees to further alien and drug smuggling.\nThe obvious targets of corruption are front line Border Patrol Agents and CBP officers;\nless obvious are those employees who can provide access to sensitive law enforcement\nand intelligence information, allowing the cartels to track investigative activity or vet\ntheir members against law enforcement databases. Although the number of DHS\nemployees implicated in such enterprises is very small \xe2\x80\x94 less than 1 percent \xe2\x80\x94 the\ndamage from even one corrupt employee represents a significant management\nchallenge to the Department.\n\n\nwww.oig.dhs.gov                                 28                                     OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\n\nBorder corruption affects national security. As demonstrated by investigations led by\nour investigators, border corruption may consist of cash bribes, sexual favors, or other\ngratuities in return for allowing contraband or undocumented aliens through primary\ninspection lanes; orchestrating illegal border crossings; leaking sensitive law\nenforcement information to persons under investigation; selling law enforcement\nintelligence to smugglers; and providing needed documents such as immigration papers.\nCorrupt employees most often are paid not to inspect, as opposed to allowing\nprohibited items, such as narcotics, to pass into the U.S. A corrupt DHS employee may\naccept a bribe for allowing what appears to be simply undocumented aliens into the\nU.S. while unwittingly helping terrorists enter the country. Likewise, what seems to be\ndrug contraband could be weapons of mass destruction, such as chemical or biological\nweapons, or bomb-making material.\n\nChallenges\nWe have seen a 95 percent increase in complaints against CBP employees alone since FY\n2004 and a 25 percent increase from just fiscal year 2010 to 2011. In FY 2011, we\nreceived and disposed of 17,998 allegations involving all DHS employees. As of July 15,\n2012, we had 1,591 open cases. Corruption-related allegations are a priority of the\nOffice of Investigations, which opens 100 percent of all credible allegations of\ncorruption it receives. The majority of both complaints received and investigations\ninitiated by the OIG, however, are for allegations of other than corruption-related\nactivity.\n\nSince FY 2004, our investigations have resulted in 358 CBP related convictions and 166\nICE related convictions. In one case, we received information that a CBP Officer was\nusing his position at a large urban airport to support an international drug trafficking\norganization. Our investigators joined a multiagency investigation, led by the ICE Office\nof Professional Responsibility (OPR), which resulted in the dismantling of the entire drug\ntrafficking organization and the arrest of multiple offenders, including the CBP Officer.\nOn at least 19 separate occasions, the CBP Officer had bypassed airport security using\nhis own badge to smuggle money and weapons for the drug traffickers. In December\n2010, he was convicted and sentenced to 8 years in prison.\n\nA Border Patrol Agent at the Sonoita, Arizona, Border Patrol Station, was observed\nacting suspiciously while questioning others about the technology used to interdict\nsmugglers. The agent had only entered on duty at Sonoita in March 2009, shortly after\ngraduating from the Border Patrol Academy. We opened an investigation and\ndeveloped evidence that the agent had sold to a purported drug trafficker sensor maps,\ntrail maps, landmarks, and terminology used by the Border Patrol to combat smuggling.\nEvidence showed that on at least four occasions, the agent accepted bribes totaling\n\n\nwww.oig.dhs.gov                                29                                     OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\naround $5,000. The agent was arrested in October 2009. On August 12, 2010, he pled\nguilty in Federal court to one count of bribery. On May 3, 2011, he was sentenced to 20\nmonths incarceration, 36 months supervised release, and was ordered to pay restitution\nin the amount of $5,500.\n\nProper filing of Office of Government Ethics (OGE) forms is vital to ensuring public trust\nin high-level Federal officials and executive branch employees. In FY 2012, auditors\nobserved that the ethics management function at DHS is decentralized. Ethics officials\nin each component\xe2\x80\x99s Office of Counsel are delegated the authority to implement ethics\nprogram requirements in their component. The Headquarters Ethics Office did not have\ninternal written policies and procedures to ensure required financial disclosure reports\nwere received, reviewed, and certified within the timelines established by OGE. The\nauditors discovered that some employees were submitting forms late, ethics officials\nwere not certifying them timely, and in some cases, employees did not submit the\nrequired forms.\n\nAdditionally, TSA reported that an attorney-advisor had backdated employee public\nfinancial disclosure forms provided to the auditors in the prior year so the forms\nappeared to comply with the OGE requirements. According to a DHS ethics official,\nTSA\xe2\x80\x99s management acted promptly to report this information and to rescind the\nattorney\xe2\x80\x99s ethics authority and to reassign the attorney, as well as his first and second\nline supervisors to other work. The attorney subsequently resigned from TSA on the day\nhe was scheduled to be interviewed by TSA\'s Office of Inspection.\n\nAccomplishments\nWithin DHS, the primary authority for investigating allegations of criminal misconduct by\nDHS employees lies with OIG; ICE OPR has authority to investigate those allegations\ninvolving employees of ICE and CBP. The components play a crucial, complementary\nrole to our, as well as, ICE OPR investigative function. The components focus on\npreventive measures to ensure the integrity of the DHS workforce through robust pre-\nemployment screening of applicants, including polygraph examinations at CBP;\nthorough background investigations of employees; and integrity and security briefings\nthat help employees recognize corruption signs and dangers. These preventive\nmeasures are critically important in fighting corruption and work hand-in-hand with\nOIG\xe2\x80\x99s criminal investigative activities.\n\nCongress recognized the importance of these complementary activities by enacting the\nAnti-BorderfCorruptionfActfoff2010. This Act requires CBP, by January 4, 2013, to\nadminister applicant screening polygraph examinations to all applicants for employment\nin law enforcement positions prior to hiring. CBP met this goal in October 2012. The\nAct also requires CBP to initiate timely periodic background reinvestigations of CBP\n\n\nwww.oig.dhs.gov                                30                                     OIG-13-09\n\x0c                                OFFICE OF INSPECTOR GENERAL\n                                     Department of Homeland Security\n\n\npersonnel. Agency statistics reveal that CBP declares 60 percent of applicants who are\nadministered a polygraph examination unsuitable for employment because of prior drug\nuse or criminal histories.\n\nIt is important to emphasize that the vast majority of employees within DHS are\ndedicated civil servants focused on protecting the Nation. Less than one percent of\nemployees have committed criminal acts or other egregious misconduct.\n\n\n\nCyber Security\nOverview\nCyber security is our Nation\xe2\x80\x99s firewall because it is always on alert for constant threats\nto networks, computers, programs, and data. It contains technologies, processes, and\npractices that protect our systems from attack, damage, or unauthorized access.\n\nChallenges\nIn FY 2012, we reviewed the Department\xe2\x80\x99s efforts to guide components on securing\nportable devices that connect to networks, as well as how several components were\napplying this guidance; examined threats to IT security, including those from\ninternational and insider sources; and performed the annual FederalfInformationf\nSecurityfManagementfActfoff2002 (FISMA), as amended, audit for the Department to\ndetermine its compliance with the development, documentation, and implementation\nof a DHS-wide information security program.\n\nPortable Device Security\n\nIn a June 2012 audit, we determined that DHS still faced challenges using portable\ndevices to carry out its mission and increase the productivity of its employees.36 For\nexample, some components had not developed policies and procedures to govern the\nuse and accountability of portable devices. Unauthorized devices were also connected\nto workstations at selected components. Finally, DHS had not implemented controls to\nmitigate the risks associated with the use of portable devices or to protect the sensitive\ninformation that these devices store and process.\n\nAnother June report showed weaknesses in the component-wide adoption of FEMA\xe2\x80\x99s\nautomated property management system, reporting of lost and stolen laptops,\n\n36\n     DHS-OIG, DHSfNeedsfTofAddressfPortablefDevicefSecurityfRisks (OIG-12-88, June 2012).\n\n\n\nwww.oig.dhs.gov                                          31                                 OIG-13-09\n\x0c                             OFFICE OF INSPECTOR GENERAL\n                                  Department of Homeland Security\n\n\nimplementation of hard drive encryption, use of a standardized laptop image, timely\ninstallation of security patches, documentation of laptop sanitization, and accounting\nfor wireless networks.37 These weaknesses put laptops and the sensitive information\nstored and processed on them at risk of exploitation.\n\nIn a May 2012 audit, we reported that USCIS\xe2\x80\x99 laptop controls did not sufficiently\nsafeguard its laptops from loss or theft and did not protect the data on the laptops from\ndisclosure.38 Specifically, USCIS did not have an accurate and complete inventory of its\nlaptops, and its inventory data was not reported accurately and consistently in\nelectronic databases. Additionally, many laptops were not assigned to specific users;\nUSCIS did not provide adequate physical security for its laptops; and not all of USCIS\xe2\x80\x99\nlaptops used the latest encryption software or operating systems and associated service\npacks.\n\nInternational Threats\n\nIn August 2012, we reported that the NPPD Office of Cybersecurity and Communications\nneeded to establish and implement a plan to further its international affairs program\nwith other countries and industry to protect cyberspace and critical infrastructure.39 For\nmore efficient and effective operations, NPPD should streamline its international affairs\nfunctions to coordinate foreign relations better and consolidate resources. In addition,\nthe United States Computer Emergency Readiness Team needs to strengthen its\ncommunications and information-sharing activities with and among its counterparts to\npromote international incident response and the sharing of best practices.\n\nAlthough TSA has shown progress, it can further develop its cyber security program by\nimplementing insider threat policies and procedures, a risk management plan, and\ninsider threat specific training and awareness programs for all employees. TSA can also\nstrengthen its situational awareness security posture by centrally monitoring all\ninformation systems and augmenting current controls to better detect or prevent\ninstances of unauthorized removal or transmission of sensitive information outside of its\nnetwork.40\n\nFederal Information Security Management Act\n\n\n37\n   DHS-OIG, ProgressfHasfBeenfMadefinfSecuringfLaptopsfandfWirelessfNetworksfatfFEMA (OIG-12-93, \n\nJune 2012).\n\n38\n   DHS-OIG, U.S.fCitizenshipfandfImmigrationfServices\xe2\x80\x99fLaptopfSafeguardsfNeedfImprovements (OIG-12-83, \n\nMay 2012).\n\n39\n   DHS-OIG, DHSfCanfStrengthenfItsfInternationalfCybersecurityfPrograms (OIG-12-112, August 2012).\n\n40\n   DHS-OIG, TransportationfSecurityfAdministrationfHasfTakenfStepsfTofAddressfthefInsiderfThreatfButf\n\nChallengesfRemain (OIG-12-120, September 2012).\n\n\n\n\nwww.oig.dhs.gov                                       32                                           OIG-13-09\n\x0c                                 OFFICE OF INSPECTOR GENERAL\n                                      Department of Homeland Security\n\n\nAlthough the Department\xe2\x80\x99s efforts have resulted in some improvements in its security\nprogram, components are still not executing all Department\xe2\x80\x99s policies, procedures, and\npractices. DHS needs to improve its oversight of the components\xe2\x80\x99 implementation of its\npolicies and procedures to ensure that all information security weaknesses are tracked\nand remediated, and to enhance the quality of system authorizations. Other\ninformation security program areas also need improvement including configuration\nmanagement, incident detection and analysis, specialized training, account and identity\nmanagement, continuous monitoring, and contingency planning.\n\nAccomplishments\nDHS and its components have taken actions to govern, track, categorize, and secure\nportable devices in support of their missions. Specifically, DHS and some components\nhave developed policies, procedures, and training on the use of portable devices.\nAdditionally, some components include portable devices as part of overall accountable\npersonal property inventory. FEMA has improved its inventory and configuration\nmanagement controls to protect its laptop computers and the sensitive information it\nstores and processes. It has also implemented technical controls to protect the\ninformation stored on and processed by its wireless networks and devices.\nThreats to, and emanating from, cyberspace are borderless and require robust\nengagement and strong partnerships with countries around the world. Thus, the NPPD\nhas established multiple functions to support its international affairs program, to\npromote cyber security awareness and foster collaboration with other countries and\norganizations. To foster collaboration and develop international cyber security\npartnerships, NPPD and its subcomponents participate in international cyber exercises,\ncapacity building workshops, and multilateral and bilateral engagements. The\ndirectorate also uses innovative technologies to share cyber data with its partner\nnations.\n\nTSA\xe2\x80\x99s progress in addressing the IT insider threat is evidenced by its agency-wide Insider\nThreat Working Group and Insider Threat Section responsible for developing an\nintegrated strategy and program to address insider threat risk. Further, TSA conducted\ninsider threat vulnerability assessments that included personnel, physical, and\ninformation systems at selected airports and offsite offices, as well as reviews of\nprivileged user accounts on TSA unclassified systems. Additionally, TSA has\nstrengthened its Security Operations Center responsible for day-to-day protection of\ninformation systems and data that can detect and respond to insider threat incidents.\n\nThe FederalfInformationfSecurityfManagementfActfevaluation showed that the\nDepartment continued to improve and strengthen its security program.41 Specifically,\n\n41\n     Title III of the E-GovernmentfActfoff2002, Public Law 107-347.\n\n\n\nwww.oig.dhs.gov                                            33                          OIG-13-09\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\nDHS implemented a performance plan to improve in four key areas: remediation of\nweaknesses in plans of action and milestones, quality of certification and accreditation,\nannual testing and validation, and security program oversight.\n\n\nOIG Focus in 2013\nIn planning projects for FY 2013, we have placed particular emphasis on major\nmanagement challenges, while aligning our work with DHS\xe2\x80\x99 missions and priorities in its\nStrategicfPlanfforfFiscalfYearsf2012fThroughf2016.f In addition, we will respond to\nlegislative mandates, as well as undertake congressionally requested projects that may\narise. DHS\xe2\x80\x99 mission is to prevent terrorism and enhance security, secure and manage\nour borders, enforce and administer our immigration laws, safeguard and secure\ncyberspace, and ensure resilience to disaster. The Department places priority on\nproviding essential support to national and economic security and on maturing and\nbecoming stronger.\n\nIn the mission areas of intelligence, transportation security, border security,\ninfrastructure protection, and disaster preparedness and response, we are planning\nreviews of TSA, CBP, and FEMA, among other components and directorates. In addition\nto projects already in progress, our upcoming work will cover various aspects of airport\nsecurity and passenger screening, securing our land borders, and disaster assistance.\nWe also have work underway and are planning to review programs at USCIS, the USCG,\nand ICE. In the area of accountability, we are examining or plan to examine DHS\xe2\x80\x99 and its\ncomponent\xe2\x80\x99s and directorate\xe2\x80\x99s controls over acquisitions and critical financial systems\nand data, information security, privacy stewardship, management of disaster\npreparedness grants, and cyber security, among other mandated and discretionary\nreviews.\n\nAlthough not all planned projects may be completed in the upcoming fiscal year, we will\ncontinue to work with DHS to enhance effectiveness and efficiency and prevent waste,\nfraud, and abuse.\n\n\n\n\nwww.oig.dhs.gov                                34                                     OIG-13-09\n\x0c                  OFFICE OF INSPECTOR GENERAL\n                    Department of Homeland Security\n\n\n\nAppendix A\nManagement Comments to the Draft Report\n\n\n\n\nwww.oig.dhs.gov                    35                 OIG-13-09\n\x0c                                  OFFICE OF INSPECTOR GENERAL\n                                      Department of Homeland Security\n\n\n                                                                                       U.S. Depll1ment 01 Hornelilnd Suuri!),\n\n\n\n                                                                               "\\\'9\n                                                                                7. \'\n                                                                                       WI.binliton, DC 20528\n\n\n\n                                                                                            Homeland\n                                                                                        1   Security\n                                                   November 1,2012\n\n\n         Charles K. Edwards\n         Acting Inspector General\n         Office of Inspector General\n         u.s. Department of Homeland Security\n         245 Murray Lane SW, Building 41 0\n         Washington, DC 2052&\n\n         Re: OIG Draft Report: "Major Management Challenges Faci.ng the Department of Homeland\n             Security, Fiscal Year (FY) 20 12" (Project No. 12-169-AUD-NONE)\n\n         D~ar   Mr. Edwl::Irds:\n\n                Thank you for the opportunity to review and comment on this draft report. rhe U.S.\n         Department of Homeland Security (DHS) appreciates the Office of Inspector General\'s (OIG\'s)\n         perspective on the most serious management and perfonnance challenges fac ing the Department.\n         A more detailed response is provided in the Department\'s FY 2012 Annual Financial Report\n         (AFR).\n\n                This month marks the tenth anniversary of the crcation of DHS, the largest federal\n         reorganization since the formation of the Department of Defense. Since its inception, DHS has\n         made significant progress becoming a more effective and integrated Department, strengthening\n         the homeland security enterprise. and building a more secure America that is better equipped to\n         confront the range of threats our Nation faces. As Secretary Napolitano has stated, "America is a\n         stronger. safer, and more resilient country because of the work DHS and its many partners do\n         every day."\n\n                 The Department continues to grow and mature by strengthening and building upon\n         existing capabilit ies, e nham.:ing partne rships acrnss a ll levt:1s of government and with the private\n         sector, and stream lining operations and increasing efficiencies within its five key mission areas:\n         (I) preventing terrorism and enhancing security, (2) securing and managing our borders, (3)\n         enforcing and adm inistering our immigration laws, (4) safeguard ing and securing cyberspace,\n         and (5) ensuring resilience to disasters.\n\n                 Through frameworks such as the Quadrennial Homeland Security Review, BotTOm-Up\n         Review, and DHS Stralegic PlanJor FYs 2012- 2016, DHS has developed ::lOd implemented a\n         comprehensive, strategic management approach to cnhance Department-wide maturation and\n         integration. DHS has also made significant progress to integrate and transform its management\n         func tions through the il1fegraled SlraJegy, first published in January 2011 , which presents a clear\n         roadmap to transfonn management by enhancing both vertical and horizontal integration. The\n         strategy focuses on all management disciplines, especially human capital, acquisition, and\n         financial management.\n\n\n\n\nwww.oig.dhs.gov                                                 36                                                              OIG-13-09\n\x0c                              OFFICE OF INSPECTOR GENERAL\n                                    Department of Homeland Security\n\n\n\n\n                 The Under Secretary for Managemcnt has led the Department-wide effon to coalesce,\n         or integrate, the Department \'s management infrastructure. The Depanment\'s strategy for the\n         past 2 years has been to make substantial progress to implement 18 spec ific init iatives, each\n         with clear action plans and performance metrics. By doing so, the degree of risk has been\n         reduced proponionately and the Depanment is moving closer to a lransfonnative state. To\n         date, nearly 65 percent of the stated outcomes have been ;\'mostly" or ;\' ful\\y" addressed and the\n         Department is on track to meet the outcome goals for the remaining outcome metrics.\n\n                 Again, thank you for the opportunity to review and comment on this draft report. This\n         report and the Department\'s detailed management response to the issues identified will be\n         included in the Department\'s FY 2012 AFR, as required by law. Technical comments on the\n         draft were previously provided under separate cover for OIG consideration.\n\n                Please feel free to contac t me if you have any questions. We look forward to working\n         with you in the future.\n\n                                               Sincerely,\n\n\n\n                                              t~~m~er\n                                               Director\n                                               Departmental GAO-OIG Liaison Office\n\n\n\n\n                                                            2\n\n\n\n\nwww.oig.dhs.gov                                                 37                                           OIG-13-09\n\x0c                           OFFICE OF INSPECTOR GENERAL\n                               Department of Homeland Security\n\n\nAppendix B\nReport Distribution\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nChief of Staff\nDeputy Chief of Staff\nGeneral Counsel\nExecutive Secretary\nDirector, GAO/OIG Liaison Office\nAssistant Secretary for Office of Policy\nAssistant Secretary for Office of Public Affairs\nAssistant Secretary for Office of Legislative Affairs\nUnder Secretary for Management\nChief Financial Officer\nChief Information Officer\nChief Security Officer\nActing Chief Privacy Officer\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriations Committees, as\nappropriate\n\n\n\n\nwww.oig.dhs.gov                                  38              OIG-13-09\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this document, please call us at (202) 254-4100, fax your\nrequest to (202) 254-4305, or e-mail your request to our Office of Inspector General\n(OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.\n\nFor additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter\nat: @dhsoig.\n\nOIG HOTLINE\n\nTo expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any\nother kinds of criminal or noncriminal misconduct relative to Department of Homeland\nSecurity (DHS) programs and operations, please visit our website at www.oig.dhs.gov\nand click on the red tab titled "Hotline" to report. You will be directed to complete and\nsubmit an automated DHS OIG Investigative Referral Submission Form. Submission\nthrough our website ensures that your complaint will be promptly received and\nreviewed by DHS OIG.\n\nShould you be unable to access our website, you may submit your complaint in writing\nto: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245\nMurray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may\ncall 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'